c_pattle Posted February 23, 2011

I have a form that allows users to submit to a database and for security reasons I am using mysql_real_escape_string on all of their input values. However, this means that if the user puts something in speech marks such as "hello", it will then show up in the database as \"hello\". This means that whenever I fetch anything from the database it will have slashes in, which doesn't look good. How do other people get round this problem? When I fetch something from my database should I do a string replace and just delete these slashes, or is there a better method? Thanks for any help.

btherl Posted February 23, 2011

Check that you don't have magic_quotes enabled, and also check that you are not calling mysql_escape_string() twice on the same data. If escaped correctly, you will not have the backslashes in the database.

jaikob Posted February 23, 2011

Use stripslashes()
http://php.net/manual/en/function.stripslashes.php

c_pattle Posted February 23, 2011

Thanks, I don't think I'm escaping the fields twice. I've copied below my code. Am I escaping it twice?

```php
$submit_sql = sprintf(
    "insert into reviews (review_name, review_content, review_summary) values (\"%s\", \"%s\", \"%s\")",
    mysql_real_escape_string($_GET['submit_film_name']),
    mysql_real_escape_string($_GET['submit_film_content']),
    mysql_real_escape_string($_GET['submit_film_summary'])
);
```

btherl Posted February 23, 2011

In that code you pasted, you are escaping the strings once. You probably have magic quotes on.
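
The double escaping discussed in this thread, as an added illustration that no participant posted: it models the magic quotes layer plus the script's own escaping pass, and what the column ends up holding. Assumptions: it runs without a database, so addslashes() stands in both for magic_quotes_gpc (which applied the same escaping to request data) and, for quote and backslash characters only, for mysql_real_escape_string(); stripslashes() stands in for MySQL decoding the string literal; the function names and sample inputs are hypothetical.

```php
<?php
// Added example, not code from the thread. addslashes()/stripslashes() are
// stand-ins (see lead-in); the sample inputs are constructed.

// Returns the value the column holds after the INSERT is parsed.
function stored_value(string $typed, bool $magicQuotesOn, bool $undoOnInput): string
{
    // What the script receives in $_GET: already escaped if magic quotes is on.
    $received = $magicQuotesOn ? addslashes($typed) : $typed;

    // Input-side fix: remove the magic quotes layer before SQL escaping.
    if ($magicQuotesOn && $undoOnInput) {
        $received = stripslashes($received);
    }

    // The single escaping pass the script performs itself.
    $literal = addslashes($received);

    // The server removes exactly one escaping layer when it parses the literal.
    return stripslashes($literal);
}

// Output-side workaround: strip slashes from whatever was fetched.
function shown_after_stripslashes(string $stored): string
{
    return stripslashes($stored);
}

$samples = ['"hello"', 'C:\new']; // constructed inputs
foreach ($samples as $typed) {
    $double = stored_value($typed, true, false);  // magic quotes on, no undo
    $fixed  = stored_value($typed, true, true);   // magic quotes on, undone on input
    $clean  = stored_value($typed, false, false); // magic quotes off

    printf("typed:                      %s\n", $typed);
    printf("stored, magic quotes on:    %s\n", $double);
    printf("stored, undone on input:    %s\n", $fixed);
    printf("stored, magic quotes off:   %s\n", $clean);
    // Stripping on output repairs the doubled rows but damages clean ones
    // that legitimately contain a backslash.
    printf("stripslashes on doubled:    %s\n", shown_after_stripslashes($double));
    printf("stripslashes on clean:      %s\n\n", shown_after_stripslashes($clean));
}
```

Removing the extra layer on input keeps the stored data identical whether or not the server has magic quotes enabled, whereas stripping on output only gives the right result while every row was stored with the doubled escaping.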